Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(57)

Issue 2658723006: [wasm] Syntax- and Type-aware Fuzzer (Closed)

Created:
3 years, 10 months ago by Eric Holk
Modified:
3 years, 10 months ago
Reviewers:
titzer, ahaas
CC:
v8-reviews_googlegroups.com
Target Ref:
refs/pending/heads/master
Project:
v8
Visibility:
Public.

Description

[wasm] Syntax- and Type-aware Fuzzer This is the beginning of a new fuzzer that generates correct-by-construction Wasm modules. This should allow us to better exercise the compiler and correctness aspects of fuzzing. It is based off of ahaas' original Wasm fuzzer. At the moment, it can generate expressions made up of most binops, and also nested blocks with unconditional breaks. Future CLs will add additional constructs, such as br_if, loops, memory access, etc. The way the fuzzer works is that it starts with an array of arbitrary data provided by libfuzzer. It uses the data to generate an expression. Care is taken to make use of the entire string. Basically, the generator has a bunch of grammar-like rules for how to construct an expression of a given type. For example, an i32 can be made by adding two other i32s, or by wrapping an i64. The process then continues recursively until all the data is consumed. We generate an expression from a slice of data as follows: * If the slice is less than or equal to the size of the type (e.g. 4 bytes for i32), then it will emit the entire slice as a constant. * Otherwise, it will consume the first 4 bytes of the slice and use this to select which rule to apply. Each rule then consumes the remainder of the slice in an appropriate way. For example: * Unary ops use the remainder of the slice to generate the argument. * Binary ops consume another four bytes and mod this with the length of the remaining slice to split the slice into two parts. Each of these subslices are then used to generate one of the arguments to the binop. * Blocks are basically like a unary op, but a stack of block types is maintained to facilitate branches. For blocks that end in a break, the first four bytes of a slice are used to select the break depth and the stack determines what type of expression to generate. The goal is that once this generator is complete, it will provide a one to one mapping between binary strings and valid Wasm modules. Review-Url: https://codereview.chromium.org/2658723006 Cr-Commit-Position: refs/heads/master@{#43289} Committed: https://chromium.googlesource.com/v8/v8/+/3e1db847b36885f2c40362d88884b7ef65af8271

Patch Set 1 #

Patch Set 2 : Added a test case found by the fuzzer #

Patch Set 3 : Added another found test case, which I think is the same bug. #

Patch Set 4 : Adding support for more binops, etc. #

Total comments: 32

Patch Set 5 : Code review feedback #

Total comments: 2

Patch Set 6 : fixing nits #

Unified diffs Side-by-side diffs Delta from patch set Stats (+496 lines, -2 lines) Patch
M BUILD.gn View 1 2 3 4 1 chunk +20 lines, -0 lines 0 comments Download
M test/fuzzer/fuzzer.gyp View 1 chunk +29 lines, -0 lines 0 comments Download
M test/fuzzer/fuzzer.isolate View 2 chunks +2 lines, -0 lines 0 comments Download
M test/fuzzer/testcfg.py View 1 chunk +4 lines, -3 lines 0 comments Download
A test/fuzzer/wasm-compile.cc View 1 2 3 4 5 1 chunk +442 lines, -0 lines 0 comments Download
A test/fuzzer/wasm_compile/foo View 0 chunks +-1 lines, --1 lines 0 comments Download

Messages

Total messages: 22 (7 generated)
Eric Holk
3 years, 10 months ago (2017-02-03 03:52:18 UTC) #3
Eric Holk
Adding Ben as a reviewer too.
3 years, 10 months ago (2017-02-03 21:46:43 UTC) #5
ahaas
On 2017/02/03 at 21:46:43, eholk wrote: > Adding Ben as a reviewer too. Why do ...
3 years, 10 months ago (2017-02-06 13:46:25 UTC) #6
ahaas
https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc File test/fuzzer/wasm-compile.cc (right): https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc#newcode45 test/fuzzer/wasm-compile.cc:45: uint32_t index = get<uint32_t>(); I think even a uint8_t ...
3 years, 10 months ago (2017-02-06 14:36:21 UTC) #7
Eric Holk
On 2017/02/06 13:46:25, ahaas wrote: > On 2017/02/03 at 21:46:43, eholk wrote: > > Adding ...
3 years, 10 months ago (2017-02-15 18:35:26 UTC) #8
ahaas
On 2017/02/15 at 18:35:26, eholk wrote: > On 2017/02/06 13:46:25, ahaas wrote: > > On ...
3 years, 10 months ago (2017-02-16 09:46:03 UTC) #9
Eric Holk
https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc File test/fuzzer/wasm-compile.cc (right): https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc#newcode45 test/fuzzer/wasm-compile.cc:45: uint32_t index = get<uint32_t>(); On 2017/02/06 14:36:21, ahaas wrote: ...
3 years, 10 months ago (2017-02-16 22:05:32 UTC) #10
Eric Holk
https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc File test/fuzzer/wasm-compile.cc (right): https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc#newcode211 test/fuzzer/wasm-compile.cc:211: const std::function<void(DataRange)> alternates[] = { On 2017/02/16 22:05:31, Eric ...
3 years, 10 months ago (2017-02-16 23:57:28 UTC) #11
Eric Holk
https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc File test/fuzzer/wasm-compile.cc (right): https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc#newcode211 test/fuzzer/wasm-compile.cc:211: const std::function<void(DataRange)> alternates[] = { On 2017/02/16 23:57:28, Eric ...
3 years, 10 months ago (2017-02-17 00:06:33 UTC) #12
ahaas
lgtm https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc File test/fuzzer/wasm-compile.cc (right): https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc#newcode45 test/fuzzer/wasm-compile.cc:45: uint32_t index = get<uint32_t>(); On 2017/02/16 at 22:05:31, ...
3 years, 10 months ago (2017-02-17 09:03:53 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2658723006/100001
3 years, 10 months ago (2017-02-17 16:42:04 UTC) #16
Eric Holk
https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc File test/fuzzer/wasm-compile.cc (right): https://codereview.chromium.org/2658723006/diff/60001/test/fuzzer/wasm-compile.cc#newcode211 test/fuzzer/wasm-compile.cc:211: const std::function<void(DataRange)> alternates[] = { On 2017/02/17 09:03:52, ahaas ...
3 years, 10 months ago (2017-02-17 16:42:09 UTC) #17
commit-bot: I haz the power
Committed patchset #6 (id:100001) as https://chromium.googlesource.com/v8/v8/+/3e1db847b36885f2c40362d88884b7ef65af8271
3 years, 10 months ago (2017-02-17 17:06:36 UTC) #20
Michael Achenbach
gcc compilation for gcov fails since this commit: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20gcov%20coverage/builds/7487 Could you please take a look?
3 years, 10 months ago (2017-02-20 10:15:00 UTC) #21
titzer
3 years, 10 months ago (2017-02-20 10:29:40 UTC) #22
Message was sent while issue was closed.
On 2017/02/20 10:15:00, Michael Achenbach wrote:
> gcc compilation for gcov fails since this commit:
>
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20gcov%20cov...
> 
> Could you please take a look?

I see the bug and have a fix. It's a one liner.

Powered by Google App Engine
This is Rietveld 408576698